Description
The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code.
Affected Software
Related
{"id": "CVE-2021-27224", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-27224", "description": "The WPG plugin before 3.1.0.0 for IrfanView 4.57 has a user-mode write access violation starting at WPG+0x0000000000012ec6, which might allow remote attackers to execute arbitrary code.", "published": "2021-02-17T16:15:00", "modified": "2021-02-22T21:22:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27224", "reporter": "cve@mitre.org", "references": ["https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-irfanview-wpg/", "https://www.irfanview.com/plugins.htm", "http://packetstormsecurity.com/files/161449/IrfanView-4.57-Denial-Of-Service-Code-Execution.html"], "cvelist": ["CVE-2021-27224"], "immutableFields": [], "lastseen": "2022-03-23T15:59:41", "viewCount": 40, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-35835"]}], "rev": 4}, "score": {"value": 7.3, "vector": "NONE"}, "twitter": {"counter": 
4, "modified": "2021-02-18T14:40:58", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1362803087107379207", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (WPG Plugin prior 3.1.0.0 on IrfanView memory corruption [CVE-2021-27224]) has been published on https://t.co/154JfDrsam?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1362803087107379207", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (WPG Plugin prior 3.1.0.0 on IrfanView memory corruption [CVE-2021-27224]) has been published on https://t.co/154JfDrsam?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1362803095865090062", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (WPG Plugin prior 3.1.0.0 on IrfanView memory corruption [CVE-2021-27224]) has been published on https://t.co/lV22UJj3WL?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1362803095865090062", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (WPG Plugin prior 3.1.0.0 on IrfanView memory corruption [CVE-2021-27224]) has been published on https://t.co/lV22UJj3WL?amp=1"}]}, "backreferences": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-35835"]}]}, "exploitation": null, "vulnersScore": 7.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-787"], "affectedSoftware": [{"cpeName": "irfanview:wpg", "version": "3.1.0.0", "operator": "lt", "name": "irfanview wpg"}], "affectedConfiguration": [{"name": "irfanview", "cpeName": "irfanview:irfanview", "version": "4.57", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:irfanview:wpg:3.1.0.0:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.0.0", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:a:irfanview:irfanview:4.57:*:*:*:*:*:*:*", "cpe_name": 
[]}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-irfanview-wpg/", "name": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-irfanview-wpg/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.irfanview.com/plugins.htm", "name": "https://www.irfanview.com/plugins.htm", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/161449/IrfanView-4.57-Denial-Of-Service-Code-Execution.html", "name": "http://packetstormsecurity.com/files/161449/IrfanView-4.57-Denial-Of-Service-Code-Execution.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2022-06-07T20:13:49", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-17T00:00:00", "type": "zdt", "title": "IrfanView 4.57 Denial Of Service / Code Execution Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27224"], "modified": "2021-02-17T00:00:00", "id": "1337DAY-ID-35835", "href": "https://0day.today/exploit/description/35835", "sourceData": "=======================================================================\n title: Multiple Vulnerabilities\n product: IrfanView - WPG.dll plugin\n vulnerable version: IrfanView 4.57/WPG.dll version 2.0.0.0\n fixed version: WPG.dll version 3.1.0.0\n CVE number: CVE-2021-27224\n impact: Medium\n homepage: https://www.irfanview.com\n found: 2021-02-03\n by: Samandeep Singh (Office Singapore)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"IrfanView was the first Windows 
graphic viewer worldwide with Multiple\n(animated) GIF support. One of the first graphic viewers worldwide with\nMultipage TIF support. The first graphic viewer worldwide with Multiple\nICO support.\"\n\nSource: https://www.irfanview.com/main_what_is_engl.htm\n\n\nBusiness recommendation:\n------------------------\nSEC Consult recommends upgrading to the latest available version which patches\nthe security issues.\n\n\nVulnerability overview/description:\n-----------------------------------\nIrfanView's WPG file parsing library suffers from multiple vulnerabilities.\nThese vulnerabilities can cause application denial of service as well as\narbitrary code execution in the worst case scenario. The vulnerabilities can be\nexploited by an attacker by making the user open a WPG file using IrfanView.\n\nThe following vulnerabilities were discovered:\n\n1. Out of Bound Write causing Denial of Service (CVE-2021-27224)\n2. Access violation causing Denial of Service while attempting to read from\n unallocated/freed memory\n\nNote: The vulnerabilities were discovered by fuzzing the WPG.DLL library.\n\n\nProof of concept:\n-----------------\n1. 
Out of Bound Write causing Denial of Service\n\nBelow is an excerpt of the decompiled function where the out-of-bound write occurs:\n\n\n signed int __usercall sub_7C42E78@<eax>(char a1@<al>, signed int a2)\n {\n signed int result; // eax\n\n switch ( *(_WORD *)(a2 - 10) )\n {\n case 1:\n *(_BYTE *)(*(_DWORD *)(a2 - 20) + *(_DWORD *)(a2 - 28) / 8 + *(_DWORD *)(a2 - 24) * *(_DWORD *)(a2 - 4)) = a1;\n *(_DWORD *)(a2 - 28) += 8;\n break;\n case 2:\n *(_BYTE *)(*(_DWORD *)(a2 - 20) + *(_DWORD *)(a2 - 28) / 4 + *(_DWORD *)(a2 - 24) * *(_DWORD *)(a2 - 4)) = a1;\n *(_DWORD *)(a2 - 28) += 4;\n break;\n case 4:\n *(_BYTE *)(*(_DWORD *)(a2 - 20) + *(_DWORD *)(a2 - 28) / 2 + *(_DWORD *)(a2 - 24) * *(_DWORD *)(a2 - 4)) = a1;\n *(_DWORD *)(a2 - 28) += 2;\n break;\n case 8:\n *(_BYTE *)(*(_DWORD *)(a2 - 20) + (*(_DWORD *)(a2 - 28))++ + *(_DWORD *)(a2 - 24) * *(_DWORD *)(a2 - 4)) = a1;\n break;\n }\n result = *(_DWORD *)(a2 - 28);\n if ( result >= *(unsigned __int16 *)(a2 - 14) )\n {\n *(_DWORD *)(a2 - 28) = 0;\n result = a2;\n --*(_DWORD *)(result - 4);\n }\n return result;\n\n\nThe vulnerability is triggered in all the cases in the function above.\n\nAlso, following excerpt shows the decompiled function which is the caller of above\nfunction:\n\n int sub_7C4326C()\n int v21; // [esp+30h] [ebp-28h]\n v0 = 0;\n else if ( v1 - 129 < 0x7F )\n {\n v3 = v1 - 128;\n do\n {\n sub_7C42E78(*(_BYTE *)(v21 + v0), (signed int)&savedregs);\n --v3;\n }\n while ( v3 );\n ++v0;\n }\n\nBelow is the Windbg output when a malicious file is opened by IrfanView, along with\nthe result of windbg.\n\nExploitable plugin:\n\n 0:000> g\n [snip]\n ModLoad: 08340000 0835d000 D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n ModLoad: 08340000 0835d000 D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n ModLoad: 704b0000 704f2000 C:\\WINDOWS\\SysWOW64\\WINSTA.dll\n (32f0.c58): Access violation - code c0000005 (first chance)\n First chance 
exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** WARNING: Unable to verify checksum for D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n eax=16640cff ebx=0000002b ecx=166413e0 edx=ffffec14 esi=000004fb edi=08356c80\n eip=08352ec6 esp=001973f4 ebp=001973f4 iopl=0 nv up ei ng nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210286\n WPG+0x12ec6:\n 08352ec6 880411 mov byte ptr [ecx+edx],al ds:002b:1663fff4=??\n 0:000> kv\n # ChildEBP RetAddr Args to Child\n WARNING: Stack unwind information not available. Following frames may be wrong.\n 00 001973f4 083534b7 00197470 0019740c 083534fc WPG+0x12ec6\n 01 00197470 08353a14 00197484 08353b1a 001974b4 WPG+0x134b7\n 02 001974b4 00486731 005a7c00 00197dac 001981bc WPG!ReadWPG_W+0x214\n 03 00197dc8 77c4b2e3 51162351 75dc4e5e 107e28f0 image00400000+0x86731\n 04 00197e70 70edc3ce 00198014 77be2c00 f7e1cf3f ntdll!RtlStdLogStackTrace+0x43 (FPO: [Non-Fpo])\n 05 00197e98 77c4b834 03faa7c8 00000000 70edad40 verifier!AVrfpDphWritePageHeapBlockInformation+0x9e (FPO: [Non-Fpo])\n 06 00197eb8 77c4b2e3 d8c27e53 07604000 07572b60 ntdll!RtlpStdLogCapturedStackTrace+0xfa (FPO: [Non-Fpo])\n 07 00197f5c 00197f6c 70ed7f5a 075716cc 00197f98 ntdll!RtlStdLogStackTrace+0x43 (FPO: [Non-Fpo])\n 08 00197f6c 70ed9822 70ed9848 70ed7f5a 075716cc 0x197f6c\n 09 00197f9c 70edae2f 07571000 07572b60 07571000 verifier!AVrfpDphPlaceOnDelayFree+0x262 (FPO: [Non-Fpo])\n 0a 00197fb4 77c52ca1 07570000 77bee5ba 77c52f11 verifier!AVrfDebugPageHeapFree+0xef (FPO: [Non-Fpo])\n 0b 00198024 77bb3c45 07604000 803eb45f 00000000 ntdll!RtlDebugFreeHeap+0x3e (FPO: [Non-Fpo])\n 0c 001981cc 00450020 0063006e 0064006f 006e0069 ntdll!RtlpFreeHeap+0xd5 (FPO: [Non-Fpo])\n 0d 001981f4 004d51a9 07577bf8 00000000 00596620 image00400000+0x50020\n 0e 00198ab0 00000000 00000000 00000000 00000001 image00400000+0xd51a9\n 0:000> !msec.exploitable\n\n !exploitable 1.6.0.0\n Exploitability 
Classification: EXPLOITABLE\n Recommended Bug Title: Exploitable - User Mode Write AV starting at WPG+0x0000000000012ec6 (Hash=0x7d95926e.0x254455d2)\n\nUser mode write access violations that are not near NULL are exploitable.\n\n\n2. Access violation causing Denial of Service while attempting to read from\nunallocated/freed memory\n\nExample 1:\n----------\nBelow is an excerpt of the decompiled function where the access violation occurs:\n\n DWORD ReadWPG_W(int [email\u00a0protected]<ebx>, int [email\u00a0protected]<edi>, int [email\u00a0protected]<esi>, int a4, wchar_t *a5, wchar_t *a6)\n {\n [SNIP]\n v9 = (*(int (__fastcall **)(System::TObject *, void *, signed int))(*(_DWORD *)dword_7C4687C + 12))(\n dword_7C4687C,\n &unk_7C46C80,\n 1);\n dword_7C46C84 = sub_7C42AB8(v9);\n\n [SNIP]\n }\n\nIn the above code, the address of \"dword_7C4687C + 12()\" is pointing to a memory\nlocation which is freed or unallocated and the exception occurs.\n\nBelow is the Windbg output when a malicious file is opened by IrfanView, along with\nthe result of windbg.\n\nExploitable plugin:\n\n 0:000> g\n [SNIP]\n ModLoad: 07420000 0743d000 D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n ModLoad: 07420000 0743d000 D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n ModLoad: 704b0000 704f2000 C:\\WINDOWS\\SysWOW64\\WINSTA.dll\n (1d38.313c): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** WARNING: Unable to verify checksum for D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n eax=16420b10 ebx=07436c80 ecx=00000001 edx=07436c80 esi=f0f0f0f0 edi=07436c80\n eip=07433933 esp=00197478 ebp=001974b4 iopl=0 nv up ei pl zr na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246\n WPG!ReadWPG_W+0x133:\n 07433933 ff560c call dword ptr [esi+0Ch] ds:002b:f0f0f0fc=????????\n 0:000> kv\n # ChildEBP RetAddr Args to 
Child\n WARNING: Stack unwind information not available. Following frames may be wrong.\n 00 001974b4 00486731 005a7c00 00197dac 001981bc WPG!ReadWPG_W+0x133\n 01 00197dc8 77c4b2e3 51162351 75dc4e5e 100f2374 image00400000+0x86731\n 02 00197e70 70edc3ce 00198014 77be2c00 90be46da ntdll!RtlStdLogStackTrace+0x43 (FPO: [Non-Fpo])\n 03 00197e98 77c4b834 03fca7c8 00000000 70edad40 verifier!AVrfpDphWritePageHeapBlockInformation+0x9e (FPO: [Non-Fpo])\n 04 00197eb8 77c4b2e3 d8c27e53 07624000 07592b60 ntdll!RtlpStdLogCapturedStackTrace+0xfa (FPO: [Non-Fpo])\n 05 00197f5c 00197f6c 70ed7f5a 075916cc 00197f98 ntdll!RtlStdLogStackTrace+0x43 (FPO: [Non-Fpo])\n 06 00197f6c 70ed9822 70ed9848 70ed7f5a 075916cc 0x197f6c\n 07 00197f9c 70edae2f 07591000 07592b60 07591000 verifier!AVrfpDphPlaceOnDelayFree+0x262 (FPO: [Non-Fpo])\n 08 00197fb4 77c52ca1 07590000 77bee5ba 77c52f11 verifier!AVrfDebugPageHeapFree+0xef (FPO: [Non-Fpo])\n 09 00198024 77bb3c45 07624000 e7613dba 00000000 ntdll!RtlDebugFreeHeap+0x3e (FPO: [Non-Fpo])\n 0a 001981cc 00450020 0063006e 0064006f 006e0069 ntdll!RtlpFreeHeap+0xd5 (FPO: [Non-Fpo])\n 0b 001981f4 004d51a9 07597bf8 00000000 00596620 image00400000+0x50020\n 0c 00198ab0 00000000 00000000 00000000 00000001 image00400000+0xd51a9\n 0:000> !msec.exploitable\n\n !exploitable 1.6.0.0\n Exploitability Classification: EXPLOITABLE\n Recommended Bug Title: Exploitable - Read Access Violation on Control Flow starting at WPG!ReadWPG_W+0x0000000000000133 (Hash=0x57561ac2.0x7ef88dfa)\n\nAccess violations not near null in control flow instructions are considered exploitable.\n\n\nExample 2:\n----------\nBelow is an excerpt of the decompiled function where the access violation occurs:\n\n signed int __fastcall System::SysFreeMem(void *a1){\n [SNIP]\n\n v10 = (_DWORD *)((char *)v11 + v4); // exception occurs here.\n if ( (_DWORD *)((char *)v11 + v4) != (_DWORD *)dword_7C46618 )\n if ( *v10 & 2 )\n {\n if ( (*v10 & 0x7FFFFFFC) < 4 )\n {\n dword_7C465C0 = 11;\n goto LABEL_29;\n 
}\n *v10 |= 1u;\n }\n [SNIP]\n }\n\n\nAlso, following excerpt shows the decompiled function which is the caller of above\nfunction:\n\n int __fastcall System::__linkproc__ FreeMem(int a1)\n {\n int v1; // eax\n int v2; // ebx\n\n if ( !a1 )\n return 0;\n v1 = off_7C4503C(); //System::SysFreeMem(void *a1) - calling the above function here.\n v2 = v1;\n if ( v1 )\n {\n LOBYTE(v1) = 2;\n System::Error(v1);\n }\n return v2;\n }\n\nBelow is the Windbg output when a malicious file is opened by IrfanView, along with\nthe result of windbg.\n\nExploitable plugin:\n\n 0:000> g\n [SNIP]\n ModLoad: 083f0000 0840d000 D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n ModLoad: 704b0000 704f2000 C:\\WINDOWS\\SysWOW64\\WINSTA.dll\n (27d0.7cc): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** WARNING: Unable to verify checksum for D:\\Softwares\\IrfanView_downloads\\iView457_32\\Plugins\\WPG.DLL\n eax=166c0c38 ebx=0001000c ecx=166b0c2c edx=00000008 esi=00000007 edi=08406c80\n eip=083f2634 esp=001973d8 ebp=001973f8 iopl=0 nv up ei pl nz ac pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210216\n WPG+0x2634:\n 083f2634 8b00 mov eax,dword ptr [eax] ds:002b:166c0c38=????????\n 0:000> kv\n # ChildEBP RetAddr Args to Child\n WARNING: Stack unwind information not available. 
Following frames may be wrong.\n 00 001973f8 083f29e3 0019742c 083f3f9e 00000775 WPG+0x2634\n 01 00197470 08403a14 00197484 08403b1a 001974b4 WPG+0x29e3\n 02 001974b4 00486731 005a7c00 00197dac 001981bc WPG!ReadWPG_W+0x214\n 03 00197dc8 77c4b2e3 51162351 75dc4e5e 17872f3c image00400000+0x86731\n 04 00197e70 70edc3ce 00198014 77be2c00 67f49c30 ntdll!RtlStdLogStackTrace+0x43 (FPO: [Non-Fpo])\n 05 00197e98 77c4b834 0403a7c8 00000000 70edad40 verifier!AVrfpDphWritePageHeapBlockInformation+0x9e (FPO: [Non-Fpo])\n 06 00197eb8 77c4b2e3 d8c27e53 07764000 076d2b60 ntdll!RtlpStdLogCapturedStackTrace+0xfa (FPO: [Non-Fpo])\n 07 00197f5c 00197f6c 70ed7f5a 076d16cc 00197f98 ntdll!RtlStdLogStackTrace+0x43 (FPO: [Non-Fpo])\n 08 00197f6c 70ed9822 70ed9848 70ed7f5a 076d16cc 0x197f6c\n 09 00197f9c 70edae2f 076d1000 076d2b60 076d1000 verifier!AVrfpDphPlaceOnDelayFree+0x262 (FPO: [Non-Fpo])\n 0a 00197fb4 77c52ca1 076d0000 77bee5ba 77c52f11 verifier!AVrfDebugPageHeapFree+0xef (FPO: [Non-Fpo])\n 0b 00198024 77bb3c45 07764000 102be750 00000000 ntdll!RtlDebugFreeHeap+0x3e (FPO: [Non-Fpo])\n 0c 001981cc 00450020 0063006e 0064006f 006e0069 ntdll!RtlpFreeHeap+0xd5 (FPO: [Non-Fpo])\n 0d 001981f4 004d51a9 076d7bf8 00000000 00596620 image00400000+0x50020\n 0e 00198ab0 00000000 00000000 00000000 00000001 image00400000+0xd51a9\n 0:000> !msec.exploitable\n\n !exploitable 1.6.0.0\n Exploitability Classification: UNKNOWN\n Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at WPG+0x0000000000002634 (Hash=0x7d95926e.0xbc07e85c)\n\nThe data from the faulting address is later used to determine whether or not a branch\nis taken.\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following version has been tested which was the latest version available at the\ntime of the test.\n\n* IrfanView 4.57/WPG.dll version 2.0.0.0 (Both x86 & x64 versions)\n\n\nVendor contact timeline:\n------------------------\n2021-02-07 | Contacting vendor with details of 
vulnerabilities through [email\u00a0protected]\n2021-02-08 | Vendor acknowledged the email and mentioned that fixed plugin will be available soon\n2021-02-12 | Vendor shared the new plugin with fixes\n2021-02-17 | Coordinated release of security advisory\n\n\nSolution:\n---------\nIt's recommended to update the WPG plugin to it's latest version 3.1.0.0:\nhttps://www.irfanview.com/plugins.htm\n\nDirect link for IrfanView 32 bit WPG plugin:\nhttps://www.irfanview.net/plugins/wpg_32.zip\n\nDirect link for IrfanView 64 bit WPG plugin:\nhttps://www.irfanview.net/plugins/wpg_64.zip\n", "sourceHref": "https://0day.today/exploit/35835", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}